• Homepage
  • Blog
  • General
  • Addressing the Criticisms against the United Nations Convention against Cybercrime

Addressing the Criticisms against the United Nations Convention against Cybercrime

by Nguyen Thanh Trung

Cybercrime is a crisis brought about in the digital age. A recent report by the United Nations Office on Drugs and Crime (‘UNODC’) estimates financial losses between US$18 billion and US$37 billion from cyber scams targeting victims in East and Southeast Asia in 2023 alone. Cybercrime also disrupted the global supply chain (a ransomware virus attack on Maersk – the biggest shipping company in the world – in 2017 paralyzed a fifth of world seaborne trade), and threatened national security (a cyber-attack in 2022 shut down essential services in Costa Rica and forced the government to declare a national emergency). Women and children have also been found victims of sexual exploitation and abuse through online grooming.

As the famous saying goes, only a crisis – actual or perceived – produces real change. On 24 December 2024, after three years of negotiation, the UN General Assembly adopted the landmark United Nations Convention against Cybercrime (UNCC), a multilateral instrument aimed at combating cybercrime and strengthening international cooperation to protect societies from digital threats. The draft text of the Convention was adopted unanimously in a UN General Assembly Resolution and will be open for signature in Ha Noi, Viet Nam. It will enter into force 90 days after being ratified by the 40th signatory.

As the UNCC will have a vast impact on the conduct in cyberspace, the Convention was closely inspected by non-state stakeholders, such as non-governmental organisations (NGOs) and human rights advocate groups. Some observers have raised concerns that the Convention would undermine democracy, human rights and the rule of law and jeopardise the safety and privacy of communities and Internet users globally. In this post, I will argue that there are sufficient safeguards and mechanisms put in place by the States Parties to prevent the Convention from being used outside of its objective as a multilateral tool to address cybercrime.

The Main Features of the Cybercrime Convention

The UNCC is not the first multilateral instrument dealing with the use of information and communication technologies (ICT) for criminal purposes. The 2001 Convention on Cybercrime of the Council of Europe (The Budapest Convention) and the 2010 Arab Convention on Combating Information Technology Offences are instruments combating cybercrime in a regional setting and played an important role in shaping the framework of the UNCC. The three Conventions share four main features:

First, the criminalisation of a list of offences using computers. This set of provisions requires a State Party to adopt domestic legislation to criminalise certain offences as defined in the Convention. The type of offences may include the core cybercrimes that owe their existence to a computer, such as illegal access of information or hacking of a computer network (cyber-dependent crimes) or those that use or benefit from computers in their commission, such as child pornography (cyber-enabled crimes).

Second, the basis for the State Party to establish its jurisdiction over the offences stated above. As cybercrime is transboundary in nature, where a perpetrator can conduct illicit activities from a territory foreign to the victim, it comes as no surprise that the solution to the problem requires the concerted effort of the international community. This Part requires the States Parties to assume competence when the offence is committed in their jurisdiction, such as in a State Party’s territory, on board a ship or aircraft belonging to the Party or involving a natural person of the State Party’s nationality. Notably, while the Budapest and the Arab Convention only provide jurisdiction in cases where an offence is conducted by one of its nationals (active personality jurisdiction), the UNCC arguably went further by allowing a State Party to assume competence over a perpetrator if the act is committed against a national of that State (passive personality jurisdiction) (Art. 22.2(a) UNCC).

Third, procedural tools to make the investigation of cybercrime and the securing of electronic evidence in relation to any crime more effective. This Part requires the State Party to adopt domestic legislation as may be necessary to allow the search and seizure of stored electronic data, including traffic data that might be related to the offences.

Fourth, international judicial cooperation on cybercrime and e-evidence provides options for extradition and mutual legal assistance among the States Parties where the offences fall within their jurisdiction. In this regard, the UNCC goes further than the Budapest and the Arab Conventions by setting up an institutional body called the Conference of the States Parties to the Convention (Art. 57) and a Secretariat (Article 58) that manages the implementation of the Convention by the States Parties as well as the coordination with the secretariats of relevant international organisations, such as the UNODC.

The Criticisms of the Convention

As the UNCC uses borrowed languages from the Budapest and Arab Convention, it also shares some of the criticisms that were raised when these Conventions came about as well as some novel ones.

The first criticism is that the UNCC, similar to other regional cybercrime conventions, could be used as a means for governments to collect private information of the users on the internet and, hence, legitimise censorship. This criticism stems from the concern that these cybercrime conventions require the State Party to adopt procedural measures and law enforcement under its domestic law that allows the competent authorities to search and seize ICT data stored in data centres in its territory (Art. 28.1(b)) or order a person in its territory to submit specified electronic data related to the offences. Notwithstanding the fact that some of these measures have already been found in the domestic law of most jurisdictions (see here, here, here and here), the UNCC require the States Parties to establish conditions and safeguards under their domestic law to prevent abusive actions. Particularly, each State Party shall ensure that the implementation of the procedural laws is subjected to conditions under its domestic law, such as independent judicial review, effective remedy and other safeguards in accordance with international human rights law (Arts. 24 and 36(2)). These provisions will help to ensure that the process of collecting evidence to address the offences will ‘incorporate the principle of proportionality’ (Art. 24(1)) and not lead to abuse of power by the competent authorities.

The second criticism derives from the concern that the UNCC incorporates the passive personality jurisdiction doctrine, where a State Party would have competence over an offence committed against its nationals. In an extreme case, a State Party to the Convention could allege that an individual had committed a serious crime against one of its nationals in its territory under domestic law and request another State Party to extradite that individual to be tried in its jurisdiction. As put forward by some critics, the inclusion of this provision is an oversight of the drafters and can open the door to prosecuting dissidents for political reasons. However, a closer look at the negotiation history and other provisions of the Convention shows that this allegation is largely unfounded. In the drafting history of the UNCC, several countries have tabled the criminalisation of certain crimes as part of cyber-enabled crimes, such as posting online content related to extremism, hate speech or sending electronic messages that are grossly offensive and aimed at causing annoyance or inconvenience. However, the final version of the Convention does not incorporate such overbroad offences. The travaux préparatoires show that the States Parties opt for a narrow and exhaustive list of the types of crimes that can fall under the Convention. Moreover, throughout the UNCC, other provisions ensure that the Convention would not be abused for other unintended purposes, such as dissident suppression. Specifically, States Parties shall carry out their obligations under the Convention, especially those related to the passive personality jurisdiction, with respect to the territorial integrity of States and non-intervention in the domestic affairs of other States (Art. 5). Under Article 6, they shall not use the Convention to suppress human rights or fundamental freedoms, including the rights related to the freedoms of expression, conscience, opinion, religion or belief, peaceful assembly and association. As elaborated in the explanatory notes of the Ad hoc Committee of the Convention, these provisions aim at excluding ‘certain behaviours, which could be treated differently across jurisdictions’. Moreover, the State Party where the suspect resides does not have an obligation to extradite the suspect if it has substantial grounds for believing that the request for extradition has been made to prosecute or punish a person on account of that person’s sex, race, language, religion, nationality, ethnic origin or political opinions (Art. 37(15)). As such, it can be concluded that the drafters were made aware of this concern and have affirmed that the Convention must not be interpreted for the purpose of violating international human rights law.

Another line of criticism is that the UNCC may accommodate intrusive police surveillance practices across the participating countries that do not have a good record for upholding human rights domestically. However, this argument misses the point that the Convention was never intended to be a human rights treaty but an instrument to address serious criminal activities where the perpetrators have been exploiting loopholes in the transnational nature of cyber activities to cause adverse impacts on States, enterprises and the well-being of individuals and society as a whole. Moreover, the Convention will arguably help strengthen human rights standards in cyber activities. With the entered into force of the UNCC, the implementation of domestic policy on cybercrime, from being largely unwatched, will be put under the supervision of the Conference of the States Parties, established under Article 57 of the Convention. The Convention also provides for a dispute settlement mechanism under Article 63 that if the concerned States Parties fail to resolve a dispute through negotiation or establishing an arbitration ‘any one of those States Parties may refer the dispute to the International Court of Justice by request in accordance with the Statute of the Court.’ As such, there are political and judicial means for a State Party to challenge an anti-cybercrime measure imposed by a recalcitrant State if that measure is alleged to be contrary to international human rights law.

Conclusions

The UNCC marks an important milestone for the international community in addressing the harmful effects of crimes caused by the misuse and abuse of ICTs. It echoed important elements in regional initiatives and declarations to prevent and combat cybercrime. It is a necessary instrument to fill in the absence of a global cyber law and address the trans-border nature of cybercrime that affects every sovereign State and well-being of individuals. While the effectiveness and potential impact of the Convention, when it enters into force, is yet to be seen, this post has argued that there are sufficient substantive, procedural and institutional safeguards put in place to make sure that its provisions will not lead to abusive actions.

Nguyen Thanh Trung is Research Fellow (Ocean Law and Policy) at Centre for International Law, National University of Singapore. He holds a PhD in Law from the University of Luxembourg.